Vulnerability Summary

runc up to and including 1.0-rc6, as used in Docker prior to 18.09.2 and other products, allows malicious users to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.

Vendor Advisories

Synopsis
Important: docker security update
Type/Severity
Security Advisory: Important
Topic
An update for docker is now available for Red Hat Enterprise Linux 7 Extras. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base s ...

Synopsis
Important: container-tools:rhel8 security and bug fix update
Type/Severity
Security Advisory: Important
Topic
An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Com ...

Synopsis
Important: runc security update
Type/Severity
Security Advisory: Important
Topic
An update for runc is now available for Red Hat Enterprise Linux 7 Extras. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score ...

Synopsis
Important: Container Development Kit 3.7.0-1 security update
Type/Severity
Security Advisory: Important
Topic
Red Hat Container Development Kit 3.7.0-1 update is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring Sys ...

A vulnerability was discovered in runc, which is used by Docker to run containers. runc did not prevent container processes from modifying the runc binary via /proc/self/exe. A malicious container could replace the runc binary, resulting in container escape and privilege escalation. This was fixed by creating a per-container copy of runc. (CVE-2019- ...

A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could use this flaw to overwrite contents of the runc binary and consequently run arbitrary commands on the container host system ...

A vulnerability in the Open Container Initiative runc CLI tool used by multiple products could allow an unauthenticated, remote attacker to escalate privileges on a targeted system.
The vulnerability exists because the affected software improperly handles file descriptors related to /proc/self/exe. An attacker could exploit the vulnerability eithe ...

A vulnerability discovered in runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, ...

IBM Cloud Kubernetes Service is affected by a security vulnerability in runc which could allow an attacker that is authorized to run a process as root inside a container to execute arbitrary commands with root privileges on the container’s host system ...

IBM Cloud Private is affected by an issue with runc used by Docker. The vulnerability allows a malicious container to overwrite the host runc binary and thus gain root-level code execution on the host ...

Exploits

## CVE-2019-5736 ##
This is exploit code for CVE-2019-5736 (and it works for both runc and LXC).
The simplest way to use it is to copy the exploit code into an existing
container, and run `make.sh`. However, you could just as easily create a bad
image and run that.
```console
% docker run --rm --name pwnme -dit ubuntu:18.10 bash
pwnme
% docker cp ...
```

# Usage
Edit HOST inside `payload.c`, compile with `make`. Start `nc` and run `pwn.sh` inside the container.
# Notes
- This exploit is destructive: it'll overwrite the `/usr/bin/docker-runc` binary *on the host* with the
payload. It'll also overwrite `/bin/sh` inside the container.
- Tested only on Debian 9
- No attempts were made to make it stable o ...
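
Because the PoCs on this page replace the host's runtime binary in place (`/usr/bin/docker-runc` in the notes above; `/usr/sbin/runc` or `/usr/bin/runc` on other distributions), anyone running one in a lab, or responding to a suspected exploitation, wants a quick way to tell whether the host runc has been tampered with. The script below is an added example written for this page, not code from any of the PoC repositories; the candidate paths in RUNC_CANDIDATES are common install locations and are assumptions. It records a sha256 baseline of whatever runtime binaries exist, and later flags a binary that is missing, that is no longer an ELF object (some public payloads drop a shell script in place of runc), or whose hash has changed.

```sh
#!/bin/sh
# Added example for this page (not from runc or any PoC repository): snapshot
# the host container-runtime binaries, then verify none has been replaced.
# RUNC_CANDIDATES lists assumed install locations; adjust for your distro.

RUNC_CANDIDATES="/usr/sbin/runc /usr/bin/runc /usr/local/sbin/runc /usr/local/bin/runc /usr/bin/docker-runc"

# sha256 of a file as a bare hex string.
runc_fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeeds (0) if the file starts with the ELF magic 7f 45 4c 46.
# A runc that is no longer ELF has almost certainly been overwritten
# with a script payload.
runc_is_elf() {
    [ "$(od -An -tx1 -N4 "$1" | tr -d ' \n')" = "7f454c46" ]
}

# Write one "sha256  path" line per existing candidate into BASELINE.
runc_record_baseline() {   # runc_record_baseline BASELINE [PATH...]
    baseline=$1; shift
    : > "$baseline"
    for p in "$@"; do
        [ -f "$p" ] || continue
        printf '%s  %s\n' "$(runc_fingerprint "$p")" "$p" >> "$baseline"
    done
}

# Compare the live binaries against BASELINE. Prints one finding per line
# (MISSING / NOT-ELF / MODIFIED) and returns 1 if anything changed.
runc_verify() {   # runc_verify BASELINE
    rc=0
    while read -r sum path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        if ! runc_is_elf "$path"; then
            echo "NOT-ELF  $path (runtime replaced by a script payload?)"; rc=1
        fi
        if [ "$(runc_fingerprint "$path")" != "$sum" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$1"
    return $rc
}

# CLI: `record BASELINE` on a known-clean host, `verify BASELINE` afterwards.
case "${1:-}" in
    record) runc_record_baseline "$2" $RUNC_CANDIDATES ;;
    verify) runc_verify "$2" ;;
esac
```

Run `record` on a host you trust (ideally straight after the package is installed), keep the baseline off-box, and `verify` after any PoC run or suspected incident. The hash comparison also catches a compiled payload such as the one built from `payload.c`; for a package-managed runc, `rpm -V runc` or `dpkg --verify` gives a comparable answer without a baseline file.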

Mailing Lists

On 2019-02-13, Loganaden Velvindron <loganaden () gmail com> wrote:
Yes, there is a PoC that someone outside of the embargo posted on
GitHub (it is quite different to the one we have but it is using a
related issue which our patch also fixed). At this point I might as well
post the actual exploit code (given that the original vulnerability
...

Someone outside of the embargo has posted a PoC of the exploit for
CVE-2019-5736 (which is related though not using the same vector)[1].
Since the original researchers have posted a blog post explaining the
exploit in some detail[2], I've decided to post the exploit code early
-- since the cat is out of the bag anyway.
CVE-2019-5736.tar.xz has the ...

On Tue, Feb 12, 2019 at 12:05:20AM +1100, Aleksa Sarai wrote:
[...]
While runc, LXC, and maybe other projects fix CVE-2019-5736 in userspace,
Virtuozzo/OpenVZ 7 has just released a kernel fix instead - please see
the forwarded message below. Following links from there, I found the
following description of the issue in context of Virtuozzo and ...

Hello,
there is a container breakout currently discussed (CVE-2019-5736),
which affected LXC among others. Let me share two more, IMHO easier,
breakout techniques that work against LXC, at least in Ubuntu 18.10,
which has LXC 3.0.3. Both techniques work only in privileged
containers, and so, given that LXC upstream does not treat privileged
contai ...

Github Repositories

CVE-2019-5736-PoC
PoC for CVE-2019-5736
Created with help from @singe, @_cablethief, and @feexd
Tested on Ubuntu 18.04, Debian 9, and Arch Linux. Docker versions 18.09.1-ce and 18.03.1-ce. This PoC does not currently work with Ubuntu 16.04 and CentOS.
Go check out the exploit code from Dragon Sector (the people who discovered the vulnerability) here
What is it?
This is a Go imp

NVIDIA Container Runtime for Docker
Documentation
The full documentation and frequently asked questions are available on the repository wiki
An introduction to the NVIDIA Container Runtime is also covered in our blog post
Quickstart
Make sure you have installed the NVIDIA driver and a supported version of Docker for your distribution (see prerequisites)
If you have a cus

Usage
Edit HOST inside payload.c, compile with make. Start nc and run pwn.sh inside the container.
Notes
This exploit is destructive: it'll overwrite the /usr/bin/docker-runc binary on the host with the
payload. It'll also overwrite /bin/sh inside the container.
Tested only on Debian 9
No attempts were made to make it stable or reliable, it's only tested to work wh

RunC-CVE-2019-5736
Two POCs for CVE-2019-5736
See Twistlock Labs for an explanation of CVE-2019-5736 and the POCs
The malicious image POC is heavily based on q3k’s POC, so all credit goes to him
Running the POCs
Note that running the POCs will overwrite the runC binary on the host.
It is highly recommended that you create a copy of your runC binary (normally at /usr/sbi

Exploit for CVE-2019-5736
Version 1 (inspired by the original idea from DragonSector)
Use a malicious .so (which is used by runc) with a malicious entry point (like #!/proc/self/exe) to hijack the execution of runc, and then open '/proc/self/exe' to hold the file descriptor. Then 'fork-exec' to run another process, and the child process will inherit the file descriptor. F
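
The sequence in the entry above (hold an fd to /proc/self/exe, hand it to a child, wait for runc to exit, then reopen it for writing) and the per-container-copy fix mentioned in the vendor advisories both turn on one kernel rule: a file that is currently being executed cannot be opened for writing. The C program below is an added illustration for this page, not code from runc or from any PoC repository; the function names and the memfd name `runc-sealed-copy` are my own. It shows the write-open of `/proc/self/exe` failing with ETXTBSY while the program is running (which is why the exploit has to park the fd and wait for the original runc to exit), and then builds the defensive counterpart: a copy of the executable in an anonymous memfd with all seals applied, which refuses writes with EPERM no matter who later holds an fd to it. That is the approach runc's fix took (copy itself into a sealed memfd and re-execute from it), shown here without the final re-exec. Linux only: memfd_create needs kernel 3.17+ and glibc 2.27+ headers.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Illustrative code for this page, not taken from runc or any PoC. Function
 * names and the memfd name are my own choices. Linux only. */

/* Why the PoCs park an fd and wait: while a binary is executing, the kernel
 * refuses to open it for writing (ETXTBSY). Returns the errno from trying to
 * open our own executable O_WRONLY; nothing is written even if it succeeds. */
int self_exe_write_errno(void) {
    int fd = open("/proc/self/exe", O_WRONLY | O_CLOEXEC);
    if (fd >= 0) { close(fd); return 0; }
    return errno;
}

/* Shape of the mitigation: copy /proc/self/exe into an anonymous memfd and
 * seal it. A runtime that re-executes itself from this fd presents the
 * container with a private, unwritable /proc/self/exe instead of the host
 * binary. Returns the memfd, or -1 with errno set. */
int sealed_self_copy(void) {
    int src = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
    if (src < 0) return -1;
    int mfd = memfd_create("runc-sealed-copy", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (mfd < 0) { close(src); return -1; }

    char buf[1 << 16];
    ssize_t n;
    while ((n = read(src, buf, sizeof buf)) > 0) {
        ssize_t done = 0;
        while (done < n) {
            ssize_t w = write(mfd, buf + done, (size_t)(n - done));
            if (w < 0) { close(src); close(mfd); return -1; }
            done += w;
        }
    }
    close(src);
    if (n < 0) { close(mfd); return -1; }

    /* Seals are irreversible: no growing, shrinking or writing, and
     * F_SEAL_SEAL stops anyone from changing the seal set later. */
    int seals = F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL;
    if (fcntl(mfd, F_ADD_SEALS, seals) < 0) { close(mfd); return -1; }
    return mfd;
}

/* 1 if fd carries all four seals and a write attempt is refused with EPERM,
 * i.e. the copy can no longer be turned into an attacker payload. */
int copy_is_immutable(int fd) {
    int want = F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL;
    int have = fcntl(fd, F_GET_SEALS);
    if (have < 0 || (have & want) != want) return 0;
    char byte = 0x41;
    if (pwrite(fd, &byte, 1, 0) != -1 || errno != EPERM) return 0;
    return 1;
}

/* 1 if the sealed copy has the same size as the on-disk executable
 * (a cheap sanity check that the copy completed). */
int copy_matches_self(int fd) {
    struct stat st;
    if (stat("/proc/self/exe", &st) < 0) return 0;
    return lseek(fd, 0, SEEK_END) == st.st_size;
}

int main(void) {
    int e = self_exe_write_errno();
    printf("O_WRONLY open of /proc/self/exe: %s\n", e ? strerror(e) : "succeeded");

    int fd = sealed_self_copy();
    if (fd < 0) { perror("sealed_self_copy"); return 1; }
    printf("sealed copy: immutable=%d size_ok=%d\n",
           copy_is_immutable(fd), copy_matches_self(fd));

    /* A real runtime would now re-exec from the copy, e.g.
     *   fexecve(fd, argv, environ);
     * so that the container process's /proc/self/exe is the sealed memfd. */
    close(fd);
    return 0;
}
```

The ETXTBSY check is the reason the exploit is a two-step dance rather than a single write: the attacker's fd only becomes writable once no process is executing that inode, which is exactly the window the sealed copy closes, since the host binary is never the thing the container process executes.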

cve-2019-5736-exp
This is a proof-of-concept (PoC) exploit for the CVE-2019-5736 vulnerability in
runc, the runtime used in Docker
Disclaimer
I undertook this project as an exercise, for educational reasons and for fun
It should go without saying that I do not support unethical and/or illegal
misuse of this code
Description
The vulnerability was discovered by Adam Iwaniuk an

CVE-2019-5736
This is exploit code for CVE-2019-5736 (and it works for both runc and LXC).
The simplest way to use it is to copy the exploit code into an existing
container, and run make.sh. However, you could just as easily create a bad
image and run that.
% docker run --rm --name pwnme -dit ubuntu:18.10 bash
pwnme
% docker cp CVE-2019-5736.tar pwnme:/CVE-2019-5736.tar
We need

CVE Builds for legacy docker-runc
This repo provides a backport of patches for CVE-2019-5736 for older versions of runc
that were packaged with Docker
Build and Releases
Refer to the releases section of this repo for the binaries In order to build yourself,
or build for different architectures, just run make and the binaries will end up in
/dist
The binaries will be of the

$50 million CTF Writeup
Summary
For a brief overview of the challenge you can take a look at the following image:
Below I will detail each step that I took to solve the CTF, moreover all the bad assumptions that led me to a dead end in some cases
Twitter
The CTF begins with this tweet:
What is this binary?
My first thought was try to decode the binary on image’s backg

Kaosagnt's Ansible Everyday Utils
This project contains many of the Ansible playbooks that I use daily
as a Systems Administrator in the pursuit of easy server task automation
Installation
You will need to setup and install Ansible like you normally would before
using what is presented here. Hint: it uses ansible (www.ansible.com)
Optional:
Create an ansible-everyd

Awesome CVE PoC
A curated list of CVE PoCs
Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security
Please read the contribution guidelines before contributing
This repo is full of PoCs for CVEs
If you enjoy this awesome list and would like to support it, check out my Patreon page :

Recent Articles

runc, a building-block project for the container technologies used by many enterprises as well as public cloud providers, has patched a vulnerability that would allow root-level code-execution, container escape and access to the host filesystem.
Discovered by researchers Adam Iwaniuk and Borys Popławski, the vulnerability (CVE-2019-5736) “allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host,”...

Aleksa Sarai, a senior software engineer at SUSE Linux GmbH, has disclosed a serious vulnerability affecting runc, the default container runtime for Docker, containerd, Podman, and CRI-O.
"While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies...and that’s exactly what this vulnerability represents," said Scott McCarty, principal product manager for c...